|Número de publicación||US7723998 B2|
|Tipo de publicación||Concesión|
|Número de solicitud||US 11/811,729|
|Fecha de publicación||25 May 2010|
|Fecha de presentación||12 Jun 2007|
|Fecha de prioridad||12 Jun 2007|
|También publicado como||EP2158606A1, EP2158606B1, US20080313746, WO2008156568A1|
|Número de publicación||11811729, 811729, US 7723998 B2, US 7723998B2, US-B2-7723998, US7723998 B2, US7723998B2|
|Inventores||Bryan Cary Doi|
|Cesionario original||Itt Manufacturing Enterprises, Inc.|
|Exportar cita||BiBTeX, EndNote, RefMan|
|Citas de patentes (18), Citada por (5), Clasificaciones (13), Eventos legales (3)|
|Enlaces externos: USPTO, Cesión de USPTO, Espacenet|
The present invention relates, in general, to protecting an integrated circuit from unauthorized access by users. More specifically, the present invention relates to embedding a physical mesh into a die surface to deter unauthorized access, where the physical mesh provides active, self checking of an attack to the die surface.
Protection of a die surface from access by unauthorized personnel has been in the past limited to various assembly techniques that make access to the surface of the die difficult. Die coatings that obscure the surface of the die have been used in the past to both hide and protect the surface from attack. There have been some attempts to embed a physical mesh into the coating to deter access, but this mesh is neither active nor self checking.
Die coating and assembly techniques along with an applied static mesh are passive deterrents to attackers, who are trying to reverse engineer, or gain information from devices. While each technique has advantages, one disadvantage is that there is no capability to detect an attack and have the device react to that attack during chip operation. The static nature of the protection allows attackers to attempt to compromise the device security during operation and gain information.
Attackers with access to ion-milling/e-beam equipment are able to etch/grind down through protective coatings, re-stitch damaged bonds and then ion-mill (drill) into the surface of the device and e-beam probe signals within the device. Detection of the physical intrusion into the die surface requires deterring and detecting this form of attack.
Ion-milling is capable of drilling into the surface of the insulating layers to access wires running below the surface. By depositing metal, it is possible to bring buried signals running on these wires to the surface of the die. These signals may be measured with an e-beam probe or may be connected to some other signal on the die.
As will be explained, the present invention advantageously embeds a physical mesh into a die surface during the manufacturing process to deter unauthorized access. In addition, the physical mesh provides active, self checking of an attack to the die surface.
To meet this and other needs, and in view of its purposes, the present invention provides a protection circuit for integrity monitoring of an electronic device. The protection circuit includes (1) a first grid check line interleaved between a first set of conductor lines, each distributing a first potential reference to the electronic device, (2) a second grid check line interleaved between a second set of conductor lines, each distributing a second potential reference to the electronic device, and (3) a grid check circuit coupled to the first and second grid check lines. The first and second grid check lines are configured to provide first and second voltage references, respectively, to the grid check circuit for monitoring the integrity of the electronic device.
The first and second potential references are VDD and VSS, respectively. The first and second voltage references are SSS and SDD, respectively. The VDD potential reference is substantially similar to the SDD voltage reference, and the VSS potential reference is substantially similar to the SSS voltage reference.
The electronic device is a multi-layered device. The first grid check line and the first set of conductor lines are disposed in one single layer of the multi-layered device, and the second grid check line and the second set of conductor lines are disposed in another single layer of the multi-layered device. The first and second sets of conductor lines, respectively, are embedded in adjacent metallization layers for forming a power distribution grid in the electronic device. The first and second grid check lines, respectively, are embedded in the same adjacent metallization layers for forming a voltage difference in the grid check circuit.
The first set of conductor lines are connected to each other and are longitudinally distributed in one metallization layer. The second set of conductors lines are connected to each other and are transversely distributed in another metallization layer. The first grid check line includes a plurality of first grid check lines connected to each other and longitudinally distributed in the one metallization layer, and the second grid check line includes a plurality of second grid check lines connected to each other and transversely distributed in the other metallization layer.
Another embodiment of the invention is a mesh of conductors forming a grid in a multi-layered electronic device. The mesh includes a first set of conductors disposed in one layer forming parallel lines in the one layer, and a second set of conductors disposed in another layer forming parallel lines in the other layer. The first set of conductors is configured to provide a first voltage reference, and the second set of conductors is configured to provide a second voltage reference. At least one grid check circuit is coupled to the first set of conductors and the second set of conductors for monitoring presence and/or absence of at least one of the first or second voltage references. The parallel lines in the one layer and the parallel lines in the other layer are substantially perpendicular to each other.
The multi-layered electronic device includes a first set of power lines and a second set of power lines for providing a potential difference to the electronic device. The first and second set of power lines are different from the first and second set of conductors. The first set of power lines provides a positive voltage reference to the electronic device, and the first set of conductors provides a ground voltage reference. The first set of power lines is interleaved with the first set of conductors in the one layer. The second set of power lines provides a ground voltage reference to the electronic device, and the second set of conductors provides a positive voltage reference. The second set of power lines is interleaved with the second set of conductors in the other layer.
Yet another embodiment of the present invention is a method for integrity monitoring of a multi-layered electronic device. The method includes the steps of: (a) distributing a first potential reference by way of one metallization layer of the electronic device; (b) distributing a second potential reference by way of another metallization layer of the electronic device; (c) distributing a first voltage reference, which is different from the first potential reference in the one metallization layer; (d) distributing a second voltage reference, which is different from the second potential reference in the other metallization layer; and (e) periodically monitoring the distribution of the first and second voltage references to determine the integrity of the multi-layered electronic device.
It is understood that the foregoing general description and the following detailed description are exemplary, but are not restrictive, of the invention.
The invention is best understood from the following detailed description when read in connection with the accompanying figures:
The present invention utilizes, as an example, the top two layers of metal of an integrated circuit. Most high performance sub-micron processes utilize 7-8 layers of metal and the top two layers are typically used for power distribution, clock distribution and assembly. As will be explained, the present invention mixes within the top two layers of metal, a grid check line that runs parallel in each layer to the power grid. The grid check lines are configured to be stimulated and sensed by grid check circuits located at various places around the die, preferably shielded by overlaying metal layers. As will also be explained, the grid check circuits are configured to both stimulate the grid check lines as well as sense them. This allows the grid to be verified from multiple locations around the die with an active send/receive capability.
Referring now to
Fault collectors, generally designated as 12, are placed on the device to collect results of tests performed periodically by each respective grid check circuit. As shown in
A conventional power distribution grid, typically in the top two layers of metal, includes a VDD potential reference distributed by VDD conductor lines 14 and a VSS potential reference (usually ground reference) distributed by VSS conductor lines 13. In the exemplary embodiment, VDD conductor lines 14 and VSS conductor lines 13 are oriented orthogonally with respect to each other. In addition, as best shown in
Interleaved between VDD conductor lines 14 are grid check lines SSS 16 and interleaved between VSS conductor lines 13 are grid check lines SDD 15. As best shown in
As shown in
Completing the description of
As shown in
Referring next to
Also shown in
The grid check circuit 32, which is similar to grid check circuit 30, is shown in
Referring next to
The present invention may include different types of grid check circuits. Exemplary grid check circuits are shown in
Referring first to
Receive inverters 42 a and 42 b are Schmitt triggers for avoiding any possibility of crow-bar current causing a high current condition during the transitions of the SDD and SSS reference voltages. Once stabilized, the input to flip-flop 45, namely NorOut, is controlled by the tampercheck signal, as shown in
The tampercheck signal also enables NAND gate 43. If SDD is a 1-reference and SSS is a O-reference, then NOR gate 44 provides a 1-reference as an output signal, indicating that the SSS and SDD reference signals are in their correct states. The timing is shown in
The checkclock signal is used to latch the value of NorOut, inputted into the D-terminal of D-flip-flop (DFF) 45. The output of the DFF, namely the gridok signal, is sent to the fault collectors (
Completing the description of the operation of grid check circuit 40, the shaded portions of
Accordingly, the architecture of the grid check lines SDD and SSS running throughout the surface of the chip (or circuit board) and interleaved with conductor lines VSS and VDD, respectively, allows the integrity of the grid (or mesh) to be actively checked under circuit control by the present invention. If the device (10, for example) is powered-down and ion-milled, the likelihood of cutting or shorting one of the grid check lines is fairly high. In addition, the ability of independently activating the sensegrid control signals allows checks (or verifications) to be executed across the chip/die with one test circuit (for example, state machine 35 of
An added benefit of assigning the correct polarities to the SSS and SDD reference potentials is that during any ion-milling operation and metal deposition operation, sputtering across the surface and ion-milling is not specific. Consequently, the likelihood is high that during the metal deposition operation, a voltage short may be created between either the SSS or SDD lines and the corresponding adjacent power supply lines VDD or VSS. By correctly choosing the SSS and SDD reference potentials, the present invention is effective in detecting a voltage short to an adjacent power supply line.
A more comprehensive grid check circuit is exemplified by
Referring now to
Similar to the elements shown in
The operation of grid check circuit 60 is explained by reference to
The SDD reference signal is first placed into a 0-level, next into a 1-level, and then into a 0-level, as shown in
When both the SDD signal is at the 1-level and the SSS signal is at the 0-level, NOR gate 64 provides a 1-level output of the NorOut signal, timed as shown in
The tampercheck and checkclock control signals are shown in
If the timing relationship between the NorOut signal and the checkclock signal is correct, as shown in
Referring next to
It will be appreciated that although shown as three separate circuits, (1) the grid check circuit; (2) the fault collector module and (3) the state machine (or a controller) may be integrated into one circuit or two circuits, and may be placed on a layer(s) different from the metallization layers.
It will also be understood that the present invention contemplates verifying the integrity of a multi-layered device by periodically enabling/disabling the grid check circuits through the state machine (or controller). Accordingly, any tampering by an unauthorized user may be continuously monitored. For example, one integrity check may be performed as frequently as many times per second, or as little as every one hour. The integrity check may also be performed during boot-up (power-on) of the electronic device.
The grid check circuit may be utilized for almost any integrated circuit (IC) that utilizes multiple layers of metallization in its fabrication process. In terms of application, it may also be used in new high density packaging forms that rely on silicon substrate or fine lithography substrate materials. Power distribution may be assigned to specific planes within these packages and special on board sensor/test circuits may monitor the integrity, or health of the package by checking for any intrusion into the package itself, even before any attempt is made to attack the surface of the silicon chip. The advantage of utilizing the on-chip metallization planes reduces the need for added manufacturing and yield costs due to additional handling steps associated with post fabrication coatings or other protective mechanical means.
Although the invention is illustrated and described herein with reference to specific embodiments, the invention is not intended to be limited to the details shown. Rather, various modifications may be made in the details within the scope and range of equivalents of the claims and without departing from the invention.
|Patente citada||Fecha de presentación||Fecha de publicación||Solicitante||Título|
|US4691350 *||23 Jun 1986||1 Sep 1987||Ncr Corporation||Security device for stored sensitive data|
|US4807284 *||5 Jun 1987||21 Feb 1989||Ncr Corporation||Security device for sensitive data|
|US4811288 *||24 Jun 1986||7 Mar 1989||Ncr Corporation||Data security device for protecting stored data|
|US5117457 *||24 Ene 1990||26 May 1992||International Business Machines Corp.||Tamper resistant packaging for information protection in electronic circuitry|
|US5159629 *||29 Abr 1991||27 Oct 1992||International Business Machines Corp.||Data protection by detection of intrusion into electronic assemblies|
|US5389738||4 May 1992||14 Feb 1995||Motorola, Inc.||Tamperproof arrangement for an integrated circuit device|
|US5821582||7 Jun 1995||13 Oct 1998||National Semiconductor Corp.||Structures for preventing reverse engineering of integrated circuits|
|US5998858 *||19 Jul 1996||7 Dic 1999||Dallas Semiconductor Corporation||Microcircuit with memory that is protected by both hardware and software|
|US6646565 *||1 Jun 2000||11 Nov 2003||Hewlett-Packard Development Company, L.P.||Point of sale (POS) terminal security system|
|US7054162 *||13 Feb 2001||30 May 2006||Safenet, Inc.||Security module system, apparatus and process|
|US7376073 *||12 Dic 2001||20 May 2008||Ecd Systems, Inc.||Optical storage medium having distortion regions, and a method of modifying an optical storage medium to include distortion regions|
|US7643393 *||5 Feb 2004||5 Ene 2010||Ecd Systems, Inc.||Systems and methods for optical media modification|
|US20060087883 *||11 Oct 2005||27 Abr 2006||Irvine Sensors Corporation||Anti-tamper module|
|US20070018334||21 Oct 2005||25 Ene 2007||Alain Peytavy||Security method for data protection|
|US20080251905 *||13 Abr 2007||16 Oct 2008||Zilog, Inc.||Package-on-package secure module having anti-tamper mesh in the substrate of the upper package|
|US20080251906 *||3 May 2007||16 Oct 2008||Zilog, Inc.||Package-on-package secure module having BGA mesh cap|
|FR2888975A1||Título no disponible|
|WO2004038800A2||16 Oct 2003||6 May 2004||James P Baukus||Multilayered integrated circuit with non functional conductive traces|
|Patente citante||Fecha de presentación||Fecha de publicación||Solicitante||Título|
|US8502396||8 Dic 2008||6 Ago 2013||Broadcom Corporation||Embedded package security tamper mesh|
|US8776260||25 Sep 2012||8 Jul 2014||Broadcom Corporation||Mesh grid protection system|
|US8884757||11 Jul 2011||11 Nov 2014||Verifone, Inc.||Anti-tampering protection assembly|
|US8890298||24 Jun 2013||18 Nov 2014||Broadcom Corporation||Embedded package security tamper mesh|
|WO2013008230A1 *||8 Jul 2012||17 Ene 2013||Verifone, Inc.||Anti-tampering protection assembly|
|Clasificación de EE.UU.||324/555, 713/194, 369/53.21|
|Clasificación internacional||G11B11/00, G06F12/14, H01H31/02|
|Clasificación cooperativa||H01L2924/0002, G06F21/75, H01L23/576, H01L27/02|
|Clasificación europea||H01L23/57B, G06F21/75, H01L27/02|
|12 Jun 2007||AS||Assignment|
Owner name: ITT MANUFACTURING ENTERPRISES, INC.,DELAWARE
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:DOI, BRYAN CARY;REEL/FRAME:019482/0518
Effective date: 20070607
|23 Ene 2012||AS||Assignment|
Owner name: EXELIS INC., VIRGINIA
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ITT MANUFACTURING ENTERPRISES LLC (FORMERLY KNOWN AS ITT MANUFACTURING ENTERPRISES, INC.);REEL/FRAME:027574/0040
Effective date: 20111221
|25 Nov 2013||FPAY||Fee payment|
Year of fee payment: 4